Fix various edge-cases when parsing EL, particularly inside attribute
values. Note that the Expert Group has confirmed that JSP.1.6 takes
precedence over JSP.1.3.10. Therefore EL in attributes must be escaped
twice. (markt)

46047: Include the path to the JAR when recording
dependencies that are located inside a JAR file. Patch provided by
Cédric Mailleux. (markt)

46381: Composite expressions used for attribute values must
be coerced to Strings. (markt)

42750: Request line should be tolerant of multiple
whitespaces. (markt/fhanik)

42934: Change the order of events on context start so
contextInitialized() event is fired before
sessionDidActivate(). The spec isn't 100% clear on the
required order but this seems more logical than the current behaviour.
(markt)

43150: Allow Tomcat to start correctly when installed on a
path that contains a # character. (markt)

The fix for 43285 had the side-effect of coercing
null values to zero. This side-effect has been made
configurable with a system property,
org.apache.el.parser.COERCE_TO_ZERO which defaults to
true. Patch provided by Nils Eckert. (markt)

43343: Correctly handle requesting a session we are in the
middle of persisting. Based on a suggestion by Wade Chandler. (markt)

44562: HEAD requests cannot use includes. Patch provided by
David Jencks. (markt)

44595: Add possibility to request the QueueSize of an
executor via JMX. (jfclere)

Fix CGI Servlet so it correctly reads the environment variables on
Vista. (markt)

44611: DirContextURLConnection didn't implement
getHeaderFields(), getHeaderField(String name) was case sensitive and
returned "" rather than null for header values that did not exist. Patch
provided by Chris Hubick. (markt)

44633: Provide a more helpful error message if a class can't
be loaded due to a version error. (rjung/markt)

44646: Correct various issues, including an ISE, in
CometConnectionManagerValve. (markt)

45015: You can't use an unescaped quote if you quote the
value with that character. (markt/fhanik)

Add HTML filtering of error messages for included resources in case the
app has tried to include an unsafe URL that does not exist. This is
really an app responsibility but the filtering has been added for XSS
safety. (markt)

Update commons-logging to version 1.1.1 and the NSIS installer to 2.34.
(markt)

Update to commons-pool version 1.4, native version 1.1.12 and update
the download location for the commons libraries. (markt)

Change chunked input parsing: always parse CRLF directly after a chunk has been
received, except if data is not available. If data is not available for CRLF
parsing, we run into BZ 11117 and must defer the parsing of CRLF to the next read event.
This fixes the incorrect blocking when using CometProcessor and draining data during the READ event,
where it previously would block incorrectly waiting for the next chunk. (fhanik)

The CometProcessor interface now extends the javax.servlet.Servlet interface. (fhanik)

Fix CVE-2007-5342 by limiting permissions granted to JULI. (markt)

Fix handling of CometEvent.close when called during the BEGIN event. (fhanik)

43594: Use setenv from CATALINA_BASE (if set) in preference
to the one in CATALINA_HOME. Patch provided by Shaddy Baddah.
(markt/jim)

Cookie handling/parsing changes!
The following behavior has been changed with regard to Tomcat's cookie handling:
a) Cookies containing control characters, except 0x09 (HT), are rejected using an InvalidArgumentException.
b) If cookies are not quoted, they will be quoted if they contain tspecials (ver0) or tspecials2 (ver1) characters.
c) The escape character '\\' is allowed and respected as an escape character, and will be unescaped during parsing.
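
The three rules above as a small Java sketch. This is an added example, not Tomcat's own code: the class and method names and the two special-character sets are assumptions (the entry names the sets but does not list them), and the sketch throws the standard java.lang.IllegalArgumentException.

```java
public class CookieValueRules {
    // Assumed special-character sets: the changelog names them but does not list them.
    static final String TSPECIALS_V0 = ",; ";
    static final String TSPECIALS_V1 = "()<>@,;:\\\"/[]?={} \t";

    /** Rule (a): reject control characters (0x00-0x1F and 0x7F) other than HT (0x09). */
    static void rejectControlChars(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if ((c < 0x20 && c != 0x09) || c == 0x7f) {
                throw new IllegalArgumentException("Control character at index " + i);
            }
        }
    }

    /** Rule (b): quote an unquoted value that contains a special character. */
    static String maybeQuote(int version, String value) {
        rejectControlChars(value);
        boolean quoted = value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"");
        String specials = (version == 0) ? TSPECIALS_V0 : TSPECIALS_V1;
        if (quoted || value.chars().noneMatch(c -> specials.indexOf(c) >= 0)) {
            return value; // already quoted, or nothing that requires quoting
        }
        // Escape backslashes first, then quotes, so the quoted string stays well-formed.
        return '"' + value.replace("\\", "\\\\").replace("\"", "\\\"") + '"';
    }

    /** Rule (c): strip the surrounding quotes and resolve backslash escapes. */
    static String unquote(String raw) {
        if (raw.length() < 2 || !raw.startsWith("\"") || !raw.endsWith("\"")) {
            return raw; // not a quoted string, nothing to unescape
        }
        StringBuilder out = new StringBuilder();
        for (int i = 1; i < raw.length() - 1; i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < raw.length() - 1) {
                c = raw.charAt(++i); // take the escaped character literally
            }
            out.append(c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String quoted = maybeQuote(1, "a=b \"c\""); // constructed sample value
        System.out.println(quoted + " -> " + unquote(quoted));
        try {
            maybeQuote(0, "bad\u0001value"); // constructed value with a control character
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```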

Cookie parsing of $Version regression from 6.0.15 has been fixed

The script that builds the windows installer was including additional
files due to the way it processes recursive file selectors. The
selectors have been modified to only include the intended files. (markt)

43435: Don't iterate and relocate sessions if they are not part of the map.

43356: Keystore parameter is relative to CATALINA_BASE.
Truststore is either defined as a parameter, via javax.net.ssl.trustStore, or, if empty,
defaults to the keystore.
SSL Client cert authentication changed from boolean to "true|false|want". (fhanik)

30949: Improve previous fix. Ensure requests are re-cycled
on cross-context includes and forwards when an exception occurs in the
target page. (markt)

42944: Correctly handle servlet mappings that use a '+'
character as part of the url pattern. (markt)

42951: Don't use CATALINA_OPTS when stopping Tomcat. This
allows options for starting and stopping to be set on JAVA_OPTS and
options for starting only to be set on CATALINA_OPTS. Without this
fix, some startup options (e.g. the port for remote JMX) would cause
stop to fail. Based on a fix suggested by Michael Vorburger.
Port of r454193 (36976) from Tomcat 5.5.x. (markt,rjung)

Fixed NIO memory leak caused by the NioChannel cache not working properly.

Added flag to enable/disable the usage of the poller's selector instead of a Selector pool
when the servlet is reading/writing from the input/output streams.
The flag is -Dorg.apache.tomcat.util.net.NioSelectorShared=true

Requests with multiple content-length headers are now rejected. (markt)

41217: Set secure attribute on SSO cookie when cookie is
created during a secure request. Patch provided by Chris Halstead.
(markt)

40524: HttpServletRequest.getAuthType() now returns
CLIENT_CERT rather than CLIENT-CERT for certificate authentication
as per the spec. Note that web.xml continues to use CLIENT-CERT to
specify that certificate authentication should be used. (markt)

41401: Add support for JPDA_OPTS to catalina.bat and add a
JPDA_SUSPEND environment variable to both startup scripts. Patch
provided by Kurt Roy. (markt)

Use tomcat-native-1.1.10 as the recommended version.
OpenSSL detection on some platforms was broken; 1.1.8 will continue to work,
although on some platforms there can be a JVM crash if IPV6 is enabled and
the platform doesn't support IPV4 mapped addresses on IPV6 sockets.